Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted. In general, the more messages that are observed, the more information can be inferred. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is also a concern in computer security.
Traffic analysis tasks may be supported by dedicated computer software. Advanced traffic analysis techniques may include various forms of social network analysis.
Traffic analysis has historically been a vital technique in cryptanalysis, especially when the attempted break depends on seeding a known-plaintext attack. That often requires an inspired guess, based on how the operational context is likely to influence what an adversary communicates, which may be sufficient to establish a short crib.
Breaking the anonymity of networks
Traffic analysis methods can be used to break the anonymity of anonymous networks, such as Tor.
While traditionally information gathering in COMINT is derived from intercepting transmissions, tapping the target's communications and monitoring the content of conversations, metadata intelligence is based not on content but on technical data about the communication itself.
Non-content COMINT is usually used to deduce information about the user of a certain transmitter, such as locations, contacts, activity volume, routine and its exceptions.
Examples
For example, if an emitter is known as the radio transmitter of a certain unit, and by using direction finding (DF) tools, the position of the emitter is locatable, the change of locations from one point to another can be deduced, without listening to any orders or reports. If one unit reports back to a command on a certain pattern, and another unit reports on the same pattern to the same command, the two units are probably related. That conclusion is based on the metadata of the two units' transmissions, not on the content of their transmissions.
Using all, or as much as possible, of the available metadata is a common way to build up an Electronic Order of Battle (EOB) by mapping the different entities in the battlefield and their connections. The EOB could of course be built by tapping all the conversations and trying to understand which unit is where, but using the metadata with an automatic analysis tool enables a much faster and more accurate EOB build-up, which, alongside tapping, gives a much better and more complete picture.
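As an added example (not part of the article), the following Python applies the two inferences just described to intercept metadata alone: a station that many others report to is a candidate command post, and stations that report to it on matching schedules are probably related. The call signs, times and the intercept log are constructed for the example, and the 10-minute tolerance and similarity threshold are assumed values; no message content is used.

```python
from collections import defaultdict
from itertools import combinations

# Constructed intercept log (made up for this example):
# (minutes since midnight, sender call sign, receiver call sign).
INTERCEPTS = [
    (360, "K7A", "HQ1"), (362, "K7B", "HQ1"), (365, "Z2X", "HQ1"),
    (720, "K7A", "HQ1"), (722, "K7B", "HQ1"), (740, "Z2X", "HQ1"),
    (1080, "K7A", "HQ1"), (1081, "K7B", "HQ1"), (900, "Z2X", "HQ1"),
    (400, "Q9Q", "Q9R"), (700, "Q9R", "Q9Q"),
]


def build_graph(intercepts):
    """Directed contact graph (sender -> set of receivers) from metadata only."""
    graph = defaultdict(set)
    for _, src, dst in intercepts:
        graph[src].add(dst)
    return dict(graph)


def hub_stations(intercepts):
    """Receivers ranked by the number of distinct senders reporting to them.
    A station that many others report to is a candidate command post."""
    reporters = defaultdict(set)
    for _, src, dst in intercepts:
        reporters[dst].add(src)
    return sorted(((dst, len(s)) for dst, s in reporters.items()),
                  key=lambda item: (-item[1], item[0]))


def report_schedule(intercepts, sender, receiver):
    """Times at which `sender` transmitted to `receiver`."""
    return sorted(t for t, s, d in intercepts if s == sender and d == receiver)


def schedule_similarity(times_a, times_b, tolerance):
    """Fraction of A's reports that have a B report within `tolerance` minutes."""
    if not times_a:
        return 0.0
    matched = sum(1 for ta in times_a
                  if any(abs(ta - tb) <= tolerance for tb in times_b))
    return matched / len(times_a)


def related_units(intercepts, command, tolerance=10, threshold=0.66):
    """Pairs of stations that report to `command` on near-identical schedules
    (assumed tolerance and threshold); these are probably related units."""
    senders = sorted({s for _, s, d in intercepts if d == command})
    pairs = []
    for a, b in combinations(senders, 2):
        sim = schedule_similarity(report_schedule(intercepts, a, command),
                                  report_schedule(intercepts, b, command),
                                  tolerance)
        if sim >= threshold:
            pairs.append((a, b, round(sim, 2)))
    return pairs


if __name__ == "__main__":
    print("contact graph:", build_graph(INTERCEPTS))
    print("hub candidates:", hub_stations(INTERCEPTS))
    print("related units reporting to HQ1:", related_units(INTERCEPTS, "HQ1"))
```

With the constructed log, HQ1 stands out as the station three others report to, and K7A and K7B, which report to it at the same three times of day, are flagged as related, while Z2X, whose schedule only partly overlaps, is not.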
World War I
- British analysts during World War I noticed that the call sign of German Vice Admiral Reinhard Scheer, commanding the hostile fleet, had been transferred to a land station. Admiral of the Fleet Beatty, ignorant of Scheer's practice of changing call signs upon leaving harbour, dismissed its importance and disregarded Room 40 analysts' attempts to make the point. The German fleet sortied, and the British were late in meeting them at the Battle of Jutland. If traffic analysis had been taken more seriously, the British might have done better than a "draw".
- French military intelligence, shaped by Auguste Kerckhoffs's legacy, had erected a network of intercept stations at the Western Front in pre-war times. When the Germans crossed the frontier, the French worked out crude means for direction-finding based on intercepted signal intensity. The recording of call signs and of traffic volumes further enabled the French to identify German combat groups and to distinguish fast-moving cavalry from slower infantry.
World War II
- During the planning and rehearsal for the attack on Pearl Harbor, very little traffic was passed by radio and so subject to interception. The ships, units, and commands involved were all in Japan and in touch by phone, courier, signal lamp, or even flag. None of that traffic was intercepted, so it could not be analyzed. However, the volume of diplomatic traffic to and from certain consular stations might have indicated places of interest to Japan, which might thus have suggested locations on which to concentrate traffic analysis and decryption efforts.
- Admiral Nagumo's Pearl Harbor Attack Force sailed under radio silence, with its radios physically locked down. It is unclear whether that deceived the US, since Pacific Fleet intelligence had been unable to locate the Japanese carriers in the days immediately preceding the attack on Pearl Harbor.
- Operation Quicksilver, part of the British deception plan for the Invasion of Normandy during World War II, fed German intelligence a combination of true and false information about troop deployments in Britain, which caused the Germans to deduce an order of battle that suggested an invasion at the Pas-de-Calais instead of Normandy. The fictitious divisions that were created for the deception were supplied with real radio units, which maintained a flow of messages that was consistent with the deception.
In commercial relationships
Similarly to the military aspects, commercial business relationships can also be vulnerable to traffic analysis. While the data exchanged will generally be encrypted, the mere flow of data can be informative.
Whenever communications between commercial entities pass through a third-party, such as a telecommunications service, a mediator, a consulting firm, an escrow provider, or a "trusted intermediary" for a data transaction, there is some risk of the traffic being analyzed to obtain commercial intelligence. The rise in multi-party data communications using technologies such as Dataspaces has highlighted this risk once again.
Comparable to the military examples given above, commercial examples include:
- Frequent communications – can denote planning, perhaps for an acquisition, merger, or joint venture of some kind
- Rapid, short communications – can denote negotiations or a very close business relationship
- A slowing or stop to communication – can indicate completion of a finalized plan, or that a planned joint venture has been abandoned
- Frequent communication to multiple organizations from a single organization – can highlight an informal chain of control or influence
- Who talks when – can indicate which specific organizations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations
All of this can provide valuable intelligence for stock traders, competitors, and other business associates.
These risks are well understood, and lead to the observation that two business organizations will communicate via a third party (which costs money) only if at least one party trusts the intermediary more than it trusts the other party; this is far more likely for new or temporary business relationships. That fact itself can be informative.
In computer security
Traffic analysis is also a concern in computer security. An attacker can gain important information by monitoring the frequency and timing of network packets. A timing attack on the SSH protocol can use timing information to deduce information about passwords since, during an interactive session, SSH transmits each keystroke as a separate message. The time between keystroke messages can be studied using hidden Markov models. Song et al. claim that it can recover the password fifty times faster than a brute-force attack.
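The attack above rests on two observable properties of an interactive session: each keystroke is a separate small client packet, and keystrokes typed at a password prompt are not echoed by the server. The Python below is an added example, not code from the article or from Song et al. It works on a constructed packet trace (times, directions and payload sizes are made up, and the 36-byte keystroke packet, the 64-byte keystroke threshold, the 100 ms echo window and the latency bin edges are all assumed values), finds the unechoed run that marks password entry, and turns it into the keystroke count and the inter-keystroke latency symbols that a hidden Markov model would consume.

```python
import bisect

# Constructed trace of an interactive SSH session: (seconds, direction, payload bytes).
# "c" = client -> server, "s" = server -> client. Sizes and times are made up; the
# 36-byte keystroke packet is an assumed value, not a protocol constant.
TRACE = [
    (0.000, "c", 36), (0.012, "s", 36),   # 's' typed, echoed
    (0.180, "c", 36), (0.193, "s", 36),   # 'u' typed, echoed
    (0.410, "c", 36), (0.421, "s", 52),   # Enter; server replies with a prompt
    (1.300, "c", 36),                     # password keystrokes: no echo
    (1.520, "c", 36),
    (1.610, "c", 36),
    (1.900, "c", 36),
    (2.050, "c", 36),
    (2.400, "c", 36),                     # Enter ends the password
    (2.900, "s", 148),                    # shell prompt after authentication
    (4.000, "c", 36), (4.011, "s", 36),   # normal echoed typing resumes
]

KEYSTROKE_MAX = 64   # assumed: client packets at or below this payload are keystrokes
ECHO_WINDOW = 0.1    # assumed: seconds within which an echo is expected


def is_keystroke(pkt, max_payload=KEYSTROKE_MAX):
    _, direction, size = pkt
    return direction == "c" and size <= max_payload


def is_echoed(trace, index, window=ECHO_WINDOW):
    """True if a server packet follows packet `index` within `window` seconds."""
    t0 = trace[index][0]
    for t, direction, _ in trace[index + 1:]:
        if t - t0 > window:
            break
        if direction == "s":
            return True
    return False


def find_unechoed_runs(trace, min_len=4, window=ECHO_WINDOW):
    """Runs of consecutive client keystrokes that the server never echoed.
    Such a run is the signature of password entry; anything else (an echoed
    keystroke, a server packet, a large client packet) ends the run."""
    runs, current = [], []
    for i, pkt in enumerate(trace):
        if is_keystroke(pkt) and not is_echoed(trace, i, window):
            current.append(pkt[0])
            continue
        if len(current) >= min_len:
            runs.append(current)
        current = []
    if len(current) >= min_len:
        runs.append(current)
    return runs


def password_length(run):
    """Keystrokes in the run minus the terminating Enter."""
    return len(run) - 1


def interkeystroke_latencies(run):
    """Seconds between successive keystrokes, the raw timing signal."""
    return [round(b - a, 3) for a, b in zip(run, run[1:])]


def latency_symbols(latencies, edges=(0.1, 0.2, 0.3)):
    """Quantise latencies into observation symbols (assumed bin edges) for an HMM."""
    return [bisect.bisect_right(edges, x) for x in latencies]


if __name__ == "__main__":
    for run in find_unechoed_runs(TRACE):
        lat = interkeystroke_latencies(run)
        print("password length:", password_length(run))
        print("latencies:", lat)
        print("symbols:", latency_symbols(lat))
```

Nothing here decrypts anything: the password length and the timing vector come purely from packet sizes, directions and timestamps, which is exactly what an observer of the encrypted stream has.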
Onion routing systems are used to gain anonymity. Traffic analysis can be used to attack anonymous communication systems like the Tor anonymity network. Adam Back, Ulf Möller and Anton Stiglic present traffic analysis attacks against anonymity-providing systems. Steven J. Murdoch and George Danezis from the University of Cambridge presented research showing that traffic analysis allows adversaries to infer which nodes relay the anonymous streams. This reduces the anonymity provided by Tor. They have shown that otherwise unrelated streams can be linked back to the same initiator.
Remailer systems can also be attacked via traffic analysis. If a message is observed going to a remailing server, and an identical-length (if now anonymized) message is seen exiting the server soon after, a traffic analyst may be able to (automatically) connect the sender with the ultimate receiver. Variations of remailer operations exist that can make traffic analysis less effective.
Traffic analysis is also applied to traffic leaving an anonymity network through its exit nodes. Using techniques rooted in dark web crawling and specialized software, an observer can identify specific characteristics of a client's network traffic within the dark web.
Countermeasures
It is difficult to defeat traffic analysis without both encrypting messages and masking the channel. When no actual messages are being sent, the channel can be masked by sending dummy traffic, similar to the encrypted traffic, thereby keeping bandwidth usage constant. "It is very hard to hide information about the size or timing of messages. The known solutions require Alice to send a continuous stream of messages at the maximum bandwidth she will ever use...This might be acceptable for military applications, but it is not for most civilian applications." The difference between military and civilian settings matters most where the user is charged for the volume of information sent.
Even for Internet access, where there is not a per-packet charge, Internet service providers (ISPs) make the statistical assumption that connections from user sites will not be busy 100% of the time. The user cannot simply increase the bandwidth of the link, since masking would fill that as well. If masking, which often can be built into end-to-end encryptors, becomes common practice, ISPs will have to change their traffic assumptions.
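The masking described above, as an added example not taken from the article: a constant-rate link shaper emits one fixed-size cell per interval whether or not there is anything to send, filling cells with queued real bytes when there are any and with padding otherwise. Run over two very different constructed workloads (a busy user and a nearly idle one), the timing and sizes visible on the wire are identical, which is the point of the defence; the padding fraction is the cost the text is talking about, and it shows why raising link capacity just raises the cost. The cell size, interval, duration and traffic are all assumed values.

```python
CELL_BYTES = 512     # assumed: fixed cell size on the wire
INTERVAL_MS = 100    # assumed: one cell every 100 ms, the maximum rate ever used
DURATION_MS = 1000   # assumed: length of the observation window

# Constructed application traffic for two different users: (arrival time in ms, bytes).
TRAFFIC_A = [(50, 1200), (300, 300)]   # a busy user
TRAFFIC_B = [(120, 100)]               # a nearly idle user


def shape(events, duration_ms=DURATION_MS, cell=CELL_BYTES, interval=INTERVAL_MS):
    """Constant-rate link padding: emit one cell per interval regardless of demand.
    Each cell carries up to `cell` queued real bytes and is padded to `cell`.
    Returns one (tick_ms, real_bytes, padding_bytes) tuple per cell."""
    pending = sorted(events)
    queued, i, cells = 0, 0, []
    for tick in range(0, duration_ms, interval):
        while i < len(pending) and pending[i][0] <= tick:   # data that has arrived
            queued += pending[i][1]
            i += 1
        real = min(queued, cell)
        queued -= real
        cells.append((tick, real, cell - real))
    return cells


def wire_image(cells):
    """What an observer of the encrypted link can see: timing and size only."""
    return [(tick, real + pad) for tick, real, pad in cells]


def real_cells(cells):
    """Cells that carried at least one byte of real data (invisible on the wire)."""
    return sum(1 for _, real, _ in cells if real > 0)


def padding_fraction(cells):
    """Share of link capacity spent on cover traffic, the cost the text refers to."""
    total = sum(real + pad for _, real, pad in cells)
    return sum(pad for _, _, pad in cells) / total


if __name__ == "__main__":
    a, b = shape(TRAFFIC_A), shape(TRAFFIC_B)
    print("identical on the wire:", wire_image(a) == wire_image(b))
    print("real cells A/B:", real_cells(a), real_cells(b))
    print("padding fraction A/B:", round(padding_fraction(a), 3), round(padding_fraction(b), 3))
```

Bytes that arrive faster than one cell per interval are queued, so the shaper also adds latency; a real deployment has to pick the rate high enough that the queue stays short, which is exactly the "maximum bandwidth she will ever use" condition from the quotation.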
See also
- Chatter (signals intelligence)
- Data warehouse
- ECHELON
- Electronic order of battle
- ELINT
- Pattern-of-life analysis
- SIGINT
- Social network analysis
- Telecommunications data retention
- Wire image (networking)
- Zendian Problem
Further reading
- http://www.cyber-rights.org/interception/stoa/interception_capabilities_2000.htm — a study by Duncan Campbell
- https://web.archive.org/web/20070713232218/http://www.onr.navy.mil/02/baa/docs/07-026_07_026_industry_briefing.pdf
- Selected Papers in Anonymity — on Free Haven
